Discussion:
Query regarding to audit netlink call
Add Reply
Avinash Patwari
2018-11-26 07:09:57 UTC
Reply
Permalink
Hi,

I wrote a program to listen to iptables modification through netlink
sockets, for this I used NETLINK_AUDIT family, when I execute the program
and modify the iptables rule, program doesn't receive any message from
kernel and it will be in blocking mode only. Could you help me to find what
is wrong in this program or what else I need to do to receive iptables
notification ?

I ran this program as a root user & audit deamon is also running.

ps -eaf | grep -i auditd

root 499 2 0 Nov16 ? 00:00:00 [kauditd]

root 926 1 0 Nov16 ? 00:00:00 /sbin/auditd -n


I tried configuring auditctl setting as well directly using auditctl
command & can see the modifcation with "ausearch -k iptablesChange" command
output but notification is not received in application.

Here is the program :-

#include "libaudit.h"

#include <stdio.h>#include <string.h>#include <unistd.h>
int main(){
int rc;
struct audit_message rep;
int fd;
struct sockaddr_nl sa;

memset(&sa, 0, sizeof(sa));
sa.nl_family = AF_NETLINK;
sa.nl_groups = 0;

fd = audit_open();

bind(fd, (struct sockaddr *) &sa, sizeof(sa));

rc = audit_get_reply(fd, &rep, GET_REPLY_BLOCKING, 0);
if(rc < 0)
{
printf("Error");
}
else
{
printf("msg received %d \n",rep.nlh.nlmsg_type );
break;
}


audit_close(fd);

return 0;}

Thanks,Avinash
Steve Grubb
2018-11-26 16:16:05 UTC
Reply
Permalink
Post by Avinash Patwari
Hi,
I wrote a program to listen to iptables modification through netlink
sockets, for this I used NETLINK_AUDIT family, when I execute the program
and modify the iptables rule, program doesn't receive any message from
kernel and it will be in blocking mode only. Could you help me to find what
is wrong in this program or what else I need to do to receive iptables
notification ?
To receive audit events, you have to register your program as the audit
daemon by setting the audit pid via audit_set_pid() . Then you will get
events. All of them. That might be disruptive if you needed auditing. In that
case, you have 2 options. Write your program as a plugin to the audit daemon.
There is example code here:

https://github.com/linux-audit/audit-userspace/tree/master/contrib/plugin

The other option is to open a connection to the audit multicast socket as
systemd's journal does. You might look at it for example code.

-Steve
Post by Avinash Patwari
I ran this program as a root user & audit deamon is also running.
ps -eaf | grep -i auditd
root 499 2 0 Nov16 ? 00:00:00 [kauditd]
root 926 1 0 Nov16 ? 00:00:00 /sbin/auditd -n
I tried configuring auditctl setting as well directly using auditctl
command & can see the modifcation with "ausearch -k iptablesChange" command
output but notification is not received in application.
Here is the program :-
#include "libaudit.h"
#include <stdio.h>#include <string.h>#include <unistd.h>
int main(){
int rc;
struct audit_message rep;
int fd;
struct sockaddr_nl sa;
memset(&sa, 0, sizeof(sa));
sa.nl_family = AF_NETLINK;
sa.nl_groups = 0;
fd = audit_open();
bind(fd, (struct sockaddr *) &sa, sizeof(sa));
rc = audit_get_reply(fd, &rep, GET_REPLY_BLOCKING, 0);
if(rc < 0)
{
printf("Error");
}
else
{
printf("msg received %d \n",rep.nlh.nlmsg_type );
break;
}
audit_close(fd);
return 0;}
Thanks,Avinash
Avinash Patwari
2018-11-28 08:30:51 UTC
Reply
Permalink
Hi Steve,

Thanks for your suggestion.

I tried by passing audit deamon process id in audit_set_pid call but still
i didn't receive any iptable modification notification,what else we need to
do to receive notification ?

Could please also share the right configuration for iptable notifications ?

I didn't get your suggestion with 2 options,could you please elaborate more
?

Br,
avinash
Post by Steve Grubb
Post by Avinash Patwari
Hi,
I wrote a program to listen to iptables modification through netlink
sockets, for this I used NETLINK_AUDIT family, when I execute the program
and modify the iptables rule, program doesn't receive any message from
kernel and it will be in blocking mode only. Could you help me to find
what
Post by Avinash Patwari
is wrong in this program or what else I need to do to receive iptables
notification ?
To receive audit events, you have to register your program as the audit
daemon by setting the audit pid via audit_set_pid() . Then you will get
events. All of them. That might be disruptive if you needed auditing. In that
case, you have 2 options. Write your program as a plugin to the audit daemon.
https://github.com/linux-audit/audit-userspace/tree/master/contrib/plugin
The other option is to open a connection to the audit multicast socket as
systemd's journal does. You might look at it for example code.
-Steve
Post by Avinash Patwari
I ran this program as a root user & audit deamon is also running.
ps -eaf | grep -i auditd
root 499 2 0 Nov16 ? 00:00:00 [kauditd]
root 926 1 0 Nov16 ? 00:00:00 /sbin/auditd -n
I tried configuring auditctl setting as well directly using auditctl
command & can see the modifcation with "ausearch -k iptablesChange"
command
Post by Avinash Patwari
output but notification is not received in application.
Here is the program :-
#include "libaudit.h"
#include <stdio.h>#include <string.h>#include <unistd.h>
int main(){
int rc;
struct audit_message rep;
int fd;
struct sockaddr_nl sa;
memset(&sa, 0, sizeof(sa));
sa.nl_family = AF_NETLINK;
sa.nl_groups = 0;
fd = audit_open();
bind(fd, (struct sockaddr *) &sa, sizeof(sa));
rc = audit_get_reply(fd, &rep, GET_REPLY_BLOCKING, 0);
if(rc < 0)
{
printf("Error");
}
else
{
printf("msg received %d \n",rep.nlh.nlmsg_type );
break;
}
audit_close(fd);
return 0;}
Thanks,Avinash
Loading...